WGA 'spyware' lawsuits against Microsoft probably meritless

On the heels of what I believe can best be described as a faux pas on Microsoft's behalf (and I've already said as much), the Redmond, WA-based company is now the subject of two separate class-action suits due to the behavior of its Windows Genuine Advantage (WGA) software. Classification of WGA as spyware, which is illegal in many states (there is no federal law yet), is central to both cases. While I wasn't the first to break the news that WGA may include some spyware-like attributes, I was the first to post a detailed screen gallery that replayed the entire WGA user experience from the beginning to the end of its installation. Subsequently, that gallery has been the focus of a lot of analysis on the Web and in the blogosphere because of the questions it raised about Microsoft's practices; questions that I finally had a chance to ask of Microsoft before these lawsuits were filed and before Microsoft handed more control over WGA to end-users in response to their concerns (and also before fellow ZDNet blogger Ed Bott noted that WGA may amount to a kill switch for allegedly unauthorized installations of Windows; an assertion that Microsoft subsequently denied, but not to Bott, who can't seem to get a follow-up interview with Microsoft).

My interview was of Microsoft's Windows Genuine program director David Lazar and it took place approximately three weeks ago by telephone. At first, I was sitting on it because Lazar was going to get back to me on an outstanding question about one of the End User License Agreements that's relevant to WGA. Then, my IBM Thinkpad T42's hard drive crashed (just days after it came back from Lenovo for a failed LCD) and I've been playing catch up on the stories I've been working on ever since. My WGA follow-up is one of them.

Although I am not a lawyer, my sense from that interview is that the lawsuits are without merit. While the court of public opinion may ultimately be what matters most, and while Microsoft clearly could have been much more forthcoming about what WGA is and how it works at the times its two primary components get installed (and has acknowledged as much), about the most I think Microsoft is guilty of is sloppiness and really bad form, and I've listed the reasons why below. I also gut-checked my instincts with technology legal expert Jonathan Zittrain, whose impeccable credentials can't fit in one sentence. Based on what I told him about the situation, Zittrain concurs with me and concluded that just about any legal tack against Microsoft -- for example, citing certain existing technology laws -- would probably be a stretch. Bear in mind that Zittrain has not reviewed the complaints nor has he been following the situation very closely. I tried my best to bring him up to speed on where things stand today. Notwithstanding some new and relevant factual revelation, here's why the lawsuits are baseless:

Although the screen gallery I posted suggests that Microsoft may have surreptitiously installed a software component (WGA Validation) onto our computers that phones home to Microsoft's servers with information about our systems, as it turns out, it looks like we already agreed to let that happen by virtue of the End User License Agreement that we accepted during a prior installation of Microsoft's Windows Update software. Microsoft has also been offering additional disclosure on its Web sites for people seeking more details. Zittrain concurred, citing the fact that there may be more than 20 other software products on our computers that engage in similar behaviors. In other words, it's standard industry practice. Without having the list of data Microsoft collects in front of him, Zittrain said the question then is whether or not the information being sent back to Microsoft constitutes a violation of privacy. Looking at the list of data that Microsoft collects (according to Pamela Jones' research on Groklaw), you could make arguments that swing in either direction. For example, Web sites routinely collect the IP address of the computers that visit them. So, what's the big deal? Well, recording that information on a daily basis (and mapping it to one computer, as Microsoft could have easily done when WGA was first reporting back to Microsoft on a daily basis, a practice it has since discontinued) could result in a map of the movements of that computer. That said, no personal identifiers appear to have been passed, and the list of fields is probably a superset of, if not a direct match to, the ones Microsoft has been using to map software licenses to physical computers as a part of its Windows Product Activation program (WPA, Microsoft's other anti-piracy technology). WPA uses unique information about a computer to create a fingerprint to which software licenses can be assigned. If the fingerprint changes (which has happened to me when moving a virtual machine-based installation of Windows XP from one computer to another), WPA wakes up and asks for revalidation. The bottom line? WGA is an integral part of the latest version of Microsoft's online update service, and if what Microsoft says is true about its disclosure that it would be collecting information from our computers when we first installed Windows Update (I don't have a copy of the EULA that accompanied the original Windows Update installation), the spyware accusation won't hold up.

While it is a fact that the End User License Agreement that originally came as a part of the installation of the second WGA software component (WGA Notifications) had the wrong text in it (the result of which may have been a non-binding agreement between you and Microsoft), this was simply sloppiness and lack of attention to detail on Microsoft's behalf. Unless someone can find an internal email that suggests that (a) Microsoft realized it forgot to get users to agree to some legalese during the installation of the first component (WGA Validation) and (b) then tried to recover from that mistake by sneaking the necessary language into the second EULA (thereby attempting to retroactively cover itself), there's little or no benefit to Microsoft if its customers agree to something that has the wrong language in it. It was clear from my phone interview with Lazar that Microsoft didn't understand my original complaint about the mismatch between what was installed second (WGA Notifications) and the EULA users were asked to accept. At the moment that I reviewed the details of the mismatch with him on the phone -- where the EULA refers to WGA Validation (even in its title) when it should refer to WGA Notifications -- there was a palpable change in the tone of the conversation, which began with Lazar saying "Now, I'm freaking out" and that he'd have to get back to me. Clearly, he recognized that something was amiss, and although he never got back to me (even after I reminded Microsoft's PR agency that I was waiting for the results of whatever internal inquiry it was that Lazar was conducting), Microsoft has since changed the EULA that's delivered with WGA Notifications to one that's more in alignment with the software component being downloaded. Clearly, the company recognized its mistake and took action. And just to be clear, there is no doubt in my mind that this was a mistake. Lazar genuinely sounded stunned on the phone as I pointed out the mismatch to him. Regarding a wrongly worded EULA, Zittrain agrees that there's not much to get excited about in terms of what would hold up in court. Said Zittrain, the suit might have merit "if something rises to a level where it has some impact on the community-at-large or on technology as a whole rather than just a chance to say Gotcha! and get a reward for having said it. One would want to look at the larger issues at stake."

Beyond the potential spyware accusations, there was also the issue of Microsoft automatically installing what, by its own admission, is pre-release software onto our systems. To some extent, this is tangentially connected to an issue raised in the second lawsuit: that legitimately licensed installations of Windows are being denied access to the updates they deserve because they've been falsely identified as pirated copies. Ed Bott turned an official Microsoft statistic against the company when he pointed out that as many as 20 percent of WGA installations are failing, but not because the version of Windows in question is pirated. Amidst concerns, Microsoft has issued a knowledge base article with instructions on how to disable or completely uninstall WGA Notifications (but not WGA Validation -- the component that "phones home"). While false positives can cause a lot of grief, making them grounds for a lawsuit is a completely different ball game. Back in the 90's, when I was director of PC Week's testing labs (now eWeek Labs), Larry Seltzer taught me that all software is beta software, regardless of whether the vendor says it's beta, pre-release, or shipping. To this day, his words echo in my head because it's so true. While vendors may have some secret internal threshold that all software must cross before it can be considered "shipping software" (or RTM -- "released to manufacturing"), the truth of the matter is that all software is buggy and prone to malfunction. This is especially so of one-size-fits-all software that must work in a nearly infinite number of end-user configurations, any one of which could foil that software's normal operation. Personal firewalls and anti-spyware products are notorious for stopping what would otherwise be legitimate behavior, many times without the end-user's understanding of what's going on. But the point is, all software will malfunction whether the vendor says it's shipping or not, and WGA is no different. Although he wasn't directly addressing this point, Zittrain pointed out that harm and remedy matter. Were legitimately licensed end-users harmed (for example, have people lost functionality as a result of WGA) and is Microsoft unwilling to remedy the problem? "As long as they have a way to deal with the false positives, it's hard to complain," said Zittrain. Microsoft has been mum, so it's hard to know what the company's prescriptions for false positives are. But here again, I'm going with bad form and sloppiness; stuff that's hard to sue for. I know Microsoft well enough to know that it would be more than willing to remedy a situation where a legitimate licensee was falsely identified as "a pirate" and being denied certain updates. With WPA, Microsoft provided a plainly visible toll-free phone number in case there was a problem. Microsoft may not have done that here (the bad form), but I'm not sure that we can draw a line from here to a lawsuit until Microsoft is clearly denying updates to people who deserve them with no recourse. Software fails.

Ultimately, at the end of the day, the mistakes made by Microsoft throughout this process (and there were many) are ones that the company will have to answer to in the court of public opinion more than any other court. Provided that it's working within the boundaries of the laws and anti-trust remedies that govern its operation, Microsoft is entitled to protect its intellectual property with the sorts of techniques employed by its WGA technology.

In the bigger picture though, it has to decide if the way in which it goes about rolling out such services -- services that Microsoft knows all too well its customers will be sensitive to -- will yield the sort of ROI the company is looking for. Does the potential revenue from a pirate crackdown outweigh the potential loss of legitimate customers who frown upon such practices? By overcommunicating at every opportunity to do so when dealing with software that phones home or that could limit the functionality of your computer -- and by overcommunicating, I mean lots of in-your-face repetition, links to everything relevant, and display of contact information in the event something goes awry -- Microsoft (and any other software company, for that matter) runs far less of a risk of really upsetting its customers to the point that they start seeking other solutions. It's something Microsoft needs to think about given that more and more of those solutions are turning up every day.

Disclosure: In the spirit of media transparency, I want to disclose that in addition to my day job at ZDNet, I'm also a co-organizer of Mashup Camp and Mashup University. Microsoft, which is mentioned in this story, is a sponsor of both upcoming events. For more information on my involvement with these events, see the special disclosure page that I've prepared and published here on ZDNet.